In this most recent Patch Tuesday, Microsoft included a fix for a current proof-of-concept (PoC) exploit against Windows Defender, CVE-2021-1647. The vulnerability allows remote code execution by a low-privileged user against the Malware Protection Engine component (mpengine.dll). According to Microsoft, an attacker would need to trick a user into opening a malicious document file on a computer with Windows Defender installed in order to trigger the exploit. A list of vulnerable versions can be found in Microsoft's advisory. While there are no publicly documented cases of this exploit being used, Microsoft stated that it was aware of an exploit in the wild that worked in some situations but was not stable. In any case, the criticality of this vulnerability leaves no room for inaction; it should be patched immediately. Microsoft has released a patch for the Malware Protection Engine that is applied automatically, without any user interaction, unless system administrators have disabled automatic updates.
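As an added example (not part of the original post), the following PowerShell check lets an administrator confirm that the Malware Protection Engine on a host has reached the patched build and, if not, pull the engine update that would normally arrive automatically. The fixed engine version is not stated on this page, so the `$FixedEngineVersion` parameter is a placeholder to be filled in from Microsoft's CVE-2021-1647 advisory.

```powershell
# Added example: verify the Windows Defender Malware Protection Engine (mpengine.dll) build.
# $FixedEngineVersion is a PLACEHOLDER; replace it with the fixed build listed in the advisory.
# Run from an elevated PowerShell session (Update-MpSignature needs administrator rights).
param(
    [version]$FixedEngineVersion = [version]'0.0.0.0'   # placeholder, take the real value from the advisory
)

$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

if (-not $status.AMServiceEnabled) {
    Write-Warning "Defender antimalware service is not enabled on this host; engine version may be stale."
}

# Report how old the last signature update is; engine updates ship with signature updates,
# so a long gap is a hint that automatic updates have been disabled by policy.
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
"Last signature update: {0} ({1:N0} hours ago)" -f $status.AntivirusSignatureLastUpdated, $age.TotalHours

if ($engine -lt $FixedEngineVersion) {
    Write-Warning ("Engine {0} is older than the fixed build {1}; requesting an update." -f $engine, $FixedEngineVersion)
    Update-MpSignature
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
}

if ($engine -ge $FixedEngineVersion) {
    "Engine $engine is at or above the fixed build $FixedEngineVersion."
} else {
    Write-Warning "Engine $engine is still below $FixedEngineVersion after the update attempt; check whether automatic updates are disabled by policy or blocked by a proxy."
}
```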
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense